|
|
|
|
|
|
by anulman
103 days ago
|
|
|
Author here; live demos within. The core issue: Stripe's Payment Intent pattern (server gets token → passes to client → client opens iframe) is safe because the blast radius is bounded; worst case, someone pays your invoice. But the same pattern applied to admin embeds (payroll, HR, financial controls) means a single XSS or compromised npm dependency can exfiltrate full admin access. The fix I'm proposing (RequestRequest) routes every iframe API call through the host page for server-side JWT signing. The iframe never holds a persistent credential. There are three interactive demos in the post, including a real race condition demo against a Durable Object. I disclosed this to two vendors in Jan 2024. Both classified it as informational. Neither has changed their architecture. |
|
|